Highlighted
michael_skirtun Absent Member.
Absent Member.
846 views

WIN10/ZEN17 Group Policys Randomly/sometimes not applied

Hello Everyone,

we are starting to use W10 (1803 ENT) with ZEN 17.4, OES Client, NO WIN DOMAIN.

I have a problem with our GPOs:

sometimes the GPO are not effective on our Clients. The GPO Files are downloaded to the GroupPolicy Folder correctly - but are not applied.

If we start a gpupdate /force manually, the GPOs get applied correctly. Also, if we start RSOP, i see all GPOs are downloaded to the GroupPolicy Folder.

I think that - maybe(!) - that is a timing problem between ZEN Agent and the WIN Foreground GPO Processing at Login.

Please help! Many THANKS 🙂
Labels (1)
0 Likes
8 Replies
Micro Focus Expert
Micro Focus Expert

Re: WIN10/ZEN17 Group Policys Randomly/sometimes not applie

Are you able to Open an SR or are you a School System with Limited SRs?


michael_skirtun;2495577 wrote:
Hello Everyone,

we are starting to use W10 (1803 ENT) with ZEN 17.4, OES Client, NO WIN DOMAIN.

I have a problem with our GPOs:

sometimes the GPO are not effective on our Clients. The GPO Files are downloaded to the GroupPolicy Folder correctly - but are not applied.

If we start a gpupdate /force manually, the GPOs get applied correctly. Also, if we start RSOP, i see all GPOs are downloaded to the GroupPolicy Folder.

I think that - maybe(!) - that is a timing problem between ZEN Agent and the WIN Foreground GPO Processing at Login.

Please help! Many THANKS 🙂
0 Likes
michael_skirtun Absent Member.
Absent Member.

Re: WIN10/ZEN17 Group Policys Randomly/sometimes not apply

Hi,

i now opened a SR for our problem.

I logged a user loging from an other session via process monitor.
I see inside of that log that svchost.exe, zapp.exe AND zenworksagent trying to write/access the files inside of system32\grouppolicy at the same time - and for that reason all of them get access errors sometimes....


best regards

Michael
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: WIN10/ZEN17 Group Policys Randomly/sometimes not apply

If you post the SR Here...I can track....

Also for any SR dealing with GPOs, along with a "ZENINFO" in debug.....
Grab "C:\Program Files (x86)\Novell\ZENworks\bin\handlers\CacheFiles"
Grab the system32\GroupPolicy folder

the GPSVC.log
https://blogs.technet.microsoft.com/csstwplatform/2010/11/09/how-to-enable-gpo-logging-on-windows-7-2008-r2/ (Still same key in W10)
0 Likes
michael_skirtun Absent Member.
Absent Member.

Re: WIN10/ZEN17 Group Policys Randomly/sometimes not apply

Hello,

SR is SR#101219506831.
0 Likes
michael_skirtun Absent Member.
Absent Member.

Re: WIN10/ZEN17 Group Policys Randomly/sometimes not apply

I read a lot about how policy works inside windows and traced a lot in the last two weeks.
Now a am pretty sure what happens:
The Zenagent copy the old backupd policy (or simply nothing if the machine has no local policy) back to system32\groupolicy before shutdown.
After login, the Zenagent copy the ZEN attached Policy back to sys32\grouppolicy and initiate a gpupdate.
Sometimes the buildin windows login triggered gpupdate (windows foreground policy update, which runs after every login) runs at the same time.
I logged the login process, inside of the log i see the zenagent deleting sys32\grouppolicy\machine\registry.pol and creating it about 500ms later.
I think that right in that 500ms gap the windows triggered gpupdate applies the empty policy - or that svchost reads and locks the sys32\grouppolicy\***\registry.pol files at the time Zenworks wants to write the files.

Is there any possibilty to prevent Zenagent to backup the local stored gpo? I think that would solve out problem. We do not need the old or empty local policy to be backed up, we only use ZEN based GPO.

I now used the workaround from
https://support.microfocus.com/kb/doc.php?id=7017792
to workwround our problem.
But i think that this is not a "final" soulution, i think that is only a workaround...

any ideas?

best regards

Michael
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: WIN10/ZEN17 Group Policys Randomly/sometimes not apply

Best bet is to open an SR.....
Post SR# here or Private Message it to me

If you can't Private Message me your contact info....
0 Likes
Knowledge Partner
Knowledge Partner

Re: WIN10/ZEN17 Group Policys Randomly/sometimes not apply

I'm now back on this issue. Did you ever get a result from your SR? I'm about to open one myself.

In my case, after debugging this the whole day today, it now happens consistently for the user GPO (which is dead simple, only 2k), and it happens *only* when the workstation has been shutdown completely (vs reboot), and when you login quick as soon when it's possible.

I looked at the logs, and in my case windows is clearly applying the policy, *before* the zen service writes it to c:\windows\system32\grouppolicy\user.

 

Another odd effect: When this occurs, and you try gpupdate /force within the first 5 minutes after login, gpudate will hang until it times out after it's default wait time of 10 minutes. The very second it times out, the policy gets applied properly.

If I run let's say gpudate /force /wait:30, and the wait time is over before the 5 Minutes, the policy simply won't apply. If I start above 5 minutes or more after the login, the policy applies fine.

This is Windows 10 1809. Something is *seriously* odd here.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
0 Likes
Knowledge Partner
Knowledge Partner

Re: WIN10/ZEN17 Group Policys Randomly/sometimes not applied

On 19.02.2019 14:46, michael skirtun wrote:
>
> Hello Everyone,
>
> we are starting to use W10 (1803 ENT) with ZEN 17.4, OES Client, NO WIN
> DOMAIN.
>
> I have a problem with our GPOs:
>
> sometimes the GPO are not effective on our Clients. The GPO Files are
> downloaded to the GroupPolicy Folder correctly - but are not applied.
>
> If we start a gpupdate /force manually, the GPOs get applied correctly.
> Also, if we start RSOP, i see all GPOs are downloaded to the GroupPolicy
> Folder.
>
> I think that - maybe(!) - that is a timing problem between ZEN Agent and
> the WIN Foreground GPO Processing at Login.
>
> Please help! Many THANKS 🙂


FTR: We're seeing the same thing with 1809, and it clearly seems to be a
timing issue. When users login fast when the desktop comes up, device
assigned policies are sometimes not applied at all or only partly.
For example, our main policy disables cortana and configures windows
update settings. Sometimes, while the windows updates are set properly,
cortana is active despite the policy.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.